Fix crypto_free zeroing of encryption keys

The zeroing MUST use the correct cipher length as keys can be both longer or shorter than the digest. In one case only some part of the key may end up being zeroed, in the other memory corruption may happen as we zero memory we do not own. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2025-11-27 13:21:11 +03:00 · 2018-10-03 09:14:45 -04:00
parent 7c444c09d7
commit 449954d99a
1 changed files with 5 additions and 5 deletions
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -168,9 +168,6 @@ void crypto_free(struct ssh_crypto_struct *crypto)

    ssh_key_free(crypto->server_pubkey);

-    cipher_free(crypto->in_cipher);
-    cipher_free(crypto->out_cipher);
-
    ssh_dh_cleanup(crypto);
    bignum_safe_free(crypto->k);
 #ifdef HAVE_ECDH
@@ -211,14 +208,17 @@ void crypto_free(struct ssh_crypto_struct *crypto)
    SAFE_FREE(crypto->encryptMAC);
    SAFE_FREE(crypto->decryptMAC);
    if (crypto->encryptkey != NULL) {
-        explicit_bzero(crypto->encryptkey, crypto->digest_len);
+        explicit_bzero(crypto->encryptkey, crypto->out_cipher->keysize / 8);
        SAFE_FREE(crypto->encryptkey);
    }
    if (crypto->decryptkey != NULL) {
-        explicit_bzero(crypto->decryptkey, crypto->digest_len);
+        explicit_bzero(crypto->decryptkey, crypto->in_cipher->keysize / 8);
        SAFE_FREE(crypto->decryptkey);
    }

+    cipher_free(crypto->in_cipher);
+    cipher_free(crypto->out_cipher);
+
    for (i = 0; i < SSH_KEX_METHODS; i++) {
        SAFE_FREE(crypto->client_kex.methods[i]);
        SAFE_FREE(crypto->server_kex.methods[i]);